Welcome to my quick intro to Windows Server 2003.
I will add more to this as I have time, including how-to tutorials.
Windows servers act as a central location to apply security features and network resources. They have flexible settings that can be set for specific users, user groups, or computers. They are a logical choice for controlling employee or student use on computers.
Windows servers can be used as Domain Controllers, Member Servers, or Standalone Servers. A domain is a group of computers tied together using a single location for user accounts and security; therefore domain controllers are used as a central location for authenticating users and applying security. A member server is a server that is part of a domain but is not a controller on the domain. This kind of server may be hosting files, printers, and applications but isn't used for controlling authentication and security; instead another server on the network would be set up as a Domain Controller, which would control all user accounts in one place. The security and access to the resources stored on the member server would be based on the user accounts stored on the domain controller. Standalone Servers are servers that are part of a workgroup. In this kind of network there is no central location for authenticating users. Each user must have an account on each computer or server they need access to. This can be very difficult to manage for larger businesses, because if a user changes their password they must change it on every computer and server in the network they may need access to.
Windows Server 2003 Versions: Standard, Enterprise, Datacenter, Web
Standard Edition - Windows Server 2003 Standard Edition is meant for small to large businesses. If you are upgrading from Server 2000 this would most likely be the one you choose. The other one you might choose instead would be Enterprise Edition. Standard Edition includes most of the features of the Enterprise Edition without the cost. The most common uses for Standard Edition are DNS, DHCP, web server, terminal server, internet sharing, File and Print services, as well as an Active Directory Domain Controller. Standard Edition is limited by its hardware support: it only supports up to 4 CPUs and 4 GB of RAM. It does not support Itanium (Intel's higher-end 64-bit processors) or clustering (the ability to link two or more servers to act as one).
Enterprise Edition – Windows Server 2003 Enterprise Edition is meant for small to large businesses that use more demanding applications. Where Standard Edition lacks the support for higher-end hardware, Enterprise Edition supports the higher-end hardware that a business may need to run a higher-end application. Enterprise Edition supports all the same features as Standard Edition but can be run on much faster hardware. Enterprise Edition will support up to 32 GB of RAM on x86 systems and 64 GB on Itanium systems. It supports up to 8 CPUs and the servers can be clustered up to 8 nodes.
Datacenter Edition – Windows Server 2003 Datacenter Edition can be used for all the same things as Standard and Enterprise Edition but must be used on higher-end hardware. Datacenter is meant for businesses with very large databases that lots of people access and need without any interruptions or lag time. Datacenter can only be used on systems with at least 8 CPUs and up to 32 CPUs for x86 systems or 64 CPUs for Itanium systems. It supports up to 64 GB of RAM (x86) and 512 GB of RAM in Itanium systems. Datacenter can also be clustered up to 8 nodes. One thing to note about Datacenter is that it is only available through original equipment manufacturers (OEMs). What this means is that you cannot upgrade any of your systems to Datacenter. It must be purchased with a new system.
Web Server Edition – Server 2003 Web Edition is meant for hosting web applications or services. It only supports 2 GB of RAM and 2 CPUs. It cannot be clustered and does not support Itanium processors. It cannot be used as a domain controller; it is really just meant for hosting web services. The reason to choose Web Server Edition is strictly because you don't need the features that the other versions offer and you want to save some money.
User Accounts
When Server 2003 is configured as a standalone server, any user that needs access to the server, either locally or over the network, must have an account on that server. The username and password must also be the same on the remote computer as they are on the server. This can create more work for network administrators, increasing the IT cost. This is the reason why servers can be created as domain controllers.
Domain Controllers hold all user accounts centrally in Active Directory. Having only one place where user accounts are maintained simplifies network administration. In a domain environment a user logs on to a client computer, the client computer contacts the domain controller, and then the user account is checked and the user is authenticated or rejected. Domain environments also simplify user access to network resources. Instead of having user accounts on every resource and having to assign permissions for each user, in a domain environment an administrator can put the domain user accounts into groups and then assign permissions on the resources to the groups.
Server 2003 has several new features for user accounts, and some are not compatible with older servers. With this in mind, Server 2003 has the ability to run in functional levels that are compatible with older systems, but by doing this some group features are not accessible unless all servers are running in at least 2003 native or Server 2003 functional levels. For this next section, if a * is next to a setting, the setting is only available in 2000 native or above.
There are two group types, security and distribution. They fall into three scopes: global, domain local and universal*. Security groups will probably include most of the types of groups you will create and need. Security groups can be assigned permissions and security settings. Distribution groups are used primarily with email applications and cannot be assigned permissions or security settings.
Global groups are used to organize Active Directory (AD) objects like user accounts within a local domain. A global group can contain user accounts or other global groups*. They can be members of local groups, domain local groups or universal groups*.
Domain local (DL) groups are used to assign rights and permissions within a local domain. Domain local groups can contain user accounts, global groups, and universal groups* from any domain. DL groups can also contain other DL groups* from the same domain only.
Universal groups* are used to organize AD objects such as user accounts or global groups from any domain within a forest. A forest is an AD network that contains 1 or more domains that all share the same schema. A forest is out of the scope of user accounts so I will explain it later. Universal groups are only available in the 2000 native/2003 functional levels and should also be available in Server 2008. Universal groups can contain user accounts, global groups and universal groups from any domain within the forest.
When creating user accounts and groups, Microsoft recommends they be organized in a certain way. The acronym A.G.U.DL.P can help you remember how they should be organized. Take the user accounts (A) and place them into global groups (G). The global groups can be placed in universal groups (U); then the global group or universal group should be placed in a domain local group (DL), which is assigned permissions (P).
To create user accounts or groups in Active Directory, it is often easiest to use the Active Directory Users and Computers tool.
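The nesting rules and the A.G.U.DL.P layout described above can be checked mechanically when reviewing who ends up with access to a resource. The following is an added example, not part of the original page and not a Microsoft tool: the data model, the function names, and every user, group, and domain name are constructed, and the same-domain limit on global groups is how the "within a local domain" wording is interpreted here.

```python
# Added example: the group nesting rules above as an audit check. All names are constructed.
from collections import namedtuple

Principal = namedtuple("Principal", "name domain kind")  # kind: user/global/domain_local/universal
# (group scope, member kind) -> (needs 2000 native or above, same domain only)
RULES = {
    ("global", "user"): (False, True),
    ("global", "global"): (True, True),
    ("domain_local", "user"): (False, False),
    ("domain_local", "global"): (False, False),
    ("domain_local", "universal"): (True, False),
    ("domain_local", "domain_local"): (True, True),
    ("universal", "user"): (True, False),
    ("universal", "global"): (True, False),
    ("universal", "universal"): (True, False),
}

def check_membership(group, member, native=True):
    """Return None when the nesting is allowed, otherwise the reason it is not."""
    rule = RULES.get((group.kind, member.kind))
    if rule is None:
        return f"a {group.kind} group cannot contain a {member.kind} group"
    needs_native, same_domain = rule
    if needs_native and not native:
        return "needs the 2000 native functional level or above"
    if same_domain and group.domain != member.domain:
        return "member must come from the group's own domain"
    return None

def audit(memberships, acl, native=True):
    """List nestings that break the rules and permissions that skip A.G.U.DL.P."""
    findings = []
    for group, member in memberships:
        reason = check_membership(group, member, native)
        if reason is None and member.kind == "user" and group.kind != "global":
            reason = "user accounts belong in global groups (A -> G)"
        if reason:
            findings.append(f"{member.name} in {group.name}: {reason}")
    for resource, trustee in acl:
        if trustee.kind != "domain_local":
            findings.append(f"{resource}: permission granted to {trustee.kind} '{trustee.name}'")
    return findings

# Constructed sample: two domains (EAST, WEST) in one forest.
alice = Principal("alice", "EAST", "user")
g_sales = Principal("G_Sales", "EAST", "global")
u_sales = Principal("U_AllSales", "EAST", "universal")
dl_share = Principal("DL_SalesShare_RW", "WEST", "domain_local")
GOOD = [(g_sales, alice), (u_sales, g_sales), (dl_share, u_sales)]
BAD = [(dl_share, alice), (g_sales, dl_share)]
```

Calling `audit(GOOD, [("FS1-Sales", dl_share)])` returns an empty list, while the same call with `native=False` reports the two nestings that depend on universal groups.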

